
Cryptography & Network Security

Cryptography & Network Security. Potential Locations for Confidentiality Attacks. LAN is a broadcast network: transmission from any station to any other station is visible on the LAN medium to all stations, so eavesdropping by another employee is possible.

hafwen

Presentation Transcript


  1. Cryptography & Network Security

  2. Potential Locations for Confidentiality Attacks

  3. LAN is a broadcast network: transmission from any station to any other station is visible on the LAN medium to all stations. • So eavesdropping by another employee is possible. • Data are transmitted in the form of frames, with each frame containing the source and destination address. • An eavesdropper can monitor the traffic on the LAN and capture any traffic desired on the basis of source and destination addresses. • If part or all of the LAN is wireless, then the potential for eavesdropping is greater.

  4. In an active attack, the attacker needs to gain physical control of a portion of the link and be able to insert and capture transmissions. In a passive attack, the attacker simply needs to be able to observe transmissions. The communications links involved can be cable (telephone twisted pair, coaxial cable, or optical fiber), microwave links, or satellite channels. Twisted pair and coaxial cable can be attacked using either invasive taps or inductive devices that monitor electromagnetic waves. Link versus End-to-End Encryption: A powerful approach to securing these points is encryption. If encryption is to be used to counter these attacks, then we need to decide what to encrypt and where the encryption gear should be located.

  5. Link encryption and end-to-end encryption

  6. End-to-end encryption: the encryption process is carried out at the two end systems. The source host or terminal encrypts the data. The data in encrypted form are then transmitted across the network to the destination terminal. The destination shares a key with the source and so is able to decrypt the data. Link encryption: each vulnerable communications link is equipped on both ends with an encryption device. Thus, all traffic over all communications links is secured.

  7. Blowfish is a keyed, symmetric block cipher designed by Bruce Schneier and included in a large number of cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date. However, the Advanced Encryption Standard now receives more attention. Blowfish, a new secret-key block cipher, is proposed. It is a Feistel network, iterating a simple encryption function 16 times. The block size is 64 bits, and the key can be any length up to 448 bits. Blowfish has a 64-bit block size and a variable key length from 32 up to 448 bits. It is a 16-round Feistel cipher and uses large key-dependent S-boxes.

  8. Manipulates data in large blocks. • Has a 64-bit block size. • Has a scalable key, from 32 bits to at least 256 bits. • Uses simple operations that are efficient on microprocessors, e.g., exclusive-or, addition, table lookup, modular multiplication. It does not use variable-length shifts or bit-wise permutations, or conditional jumps. • Blowfish is a variable-length key, 64-bit block cipher. The algorithm consists of two parts: a key-expansion part and a data-encryption part. Key expansion converts a key of at most 448 bits into several subkey arrays totaling 4168 bytes. • Data encryption occurs via a 16-round Feistel network. Each round consists of a key-dependent permutation, and a key- and data-dependent substitution. All operations are XORs and additions on 32-bit words.

  9. The P-array consists of 18 32-bit subkeys: P1, P2,..., P18. There are four 32-bit S-boxes with 256 entries each: S1,0, S1,1,..., S1,255; S2,0, S2,1,..., S2,255; S3,0, S3,1,..., S3,255; S4,0, S4,1,..., S4,255.

  10. Encryption: Blowfish has 16 rounds. The input is a 64-bit data element, x. Divide x into two 32-bit halves: xL, xR. Then, for i = 1 to 16:
      xL = xL XOR Pi
      xR = F(xL) XOR xR
      Swap xL and xR
      After the sixteenth round, swap xL and xR again to undo the last swap. Then, xR = xR XOR P17 and xL = xL XOR P18. Finally, recombine xL and xR to get the ciphertext. Decryption is exactly the same as encryption, except that P1, P2,..., P18 are used in the reverse order.
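The structure from slides 8 to 10 as a runnable sketch (an added example, not code from the presentation). The round function F and the key-expansion loop follow Schneier's published Blowfish description; the initial P-array and S-box contents, the key and the plaintext are constructed for illustration, since real Blowfish starts from the hex digits of pi, so the output is not interoperable Blowfish ciphertext.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def constructed_tables(seed=b"constructed demo tables"):
    """Constructed stand-ins for the initial P-array (18 words) and S-boxes (4 x 256)."""
    stream = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(131))
    words = struct.unpack(">1042I", stream[:4168])   # 18 + 4*256 words = 4168 bytes
    return list(words[:18]), [list(words[18 + 256*j:274 + 256*j]) for j in range(4)]

def F(S, x):
    """Round function: four byte-indexed S-box lookups mixed with ADD and XOR."""
    a, b, c, d = x >> 24, (x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF
    return ((((S[0][a] + S[1][b]) & MASK) ^ S[2][c]) + S[3][d]) & MASK

def feistel(block, P, S):
    """The 16 rounds of slide 10 applied to one 64-bit block held in an int."""
    xL, xR = block >> 32, block & MASK
    for i in range(16):
        xL ^= P[i]
        xR ^= F(S, xL)
        xL, xR = xR, xL
    xL, xR = xR, xL                      # undo the last swap
    xR ^= P[16]
    xL ^= P[17]
    return (xL << 32) | xR

def expand_key(key, P, S):
    """XOR the key into P, then regenerate P and the S-boxes by repeated encryption."""
    assert 4 <= len(key) <= 56           # 32 to 448 bits
    P = [p ^ int.from_bytes(bytes(key[(4*i + k) % len(key)] for k in range(4)), "big")
         for i, p in enumerate(P)]
    S = [row[:] for row in S]
    block = 0
    for table in [P] + S:                # 9 + 4*128 = 521 encryptions in total
        for i in range(0, len(table), 2):
            block = feistel(block, P, S)
            table[i], table[i + 1] = block >> 32, block & MASK
    return P, S

def encrypt(block, P, S):
    return feistel(block, P, S)

def decrypt(block, P, S):
    return feistel(block, P[::-1], S)    # same network, subkeys in reverse order

if __name__ == "__main__":
    P, S = expand_key(b"constructed key", *constructed_tables())
    ct = encrypt(0x0123456789ABCDEF, P, S)
    print(f"{ct:016x}", decrypt(ct, P, S) == 0x0123456789ABCDEF)
```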

  11. The fundamental operations were chosen with speed in mind. XOR, ADD, and MOV from a cache are efficient on both Intel and Motorola architectures. All subkeys fit in the cache of a 80486, 68040, Pentium, and PowerPC. • The Feistel network that makes up the body of Blowfish is designed to be as simple as possible, while still retaining the desirable cryptographic properties of the structure.

  12. IDEA (International Data Encryption Algorithm): IDEA is a block cipher which uses a 128-bit key to encrypt successive 64-bit blocks of plaintext. The encryption scheme uses a total of fifty-two 16-bit subkeys. These are generated from the 128-bit key as follows: The 128-bit key is split into eight 16-bit keys which are the first eight subkeys. The bits of the 128-bit key are shifted 25 bits to the left to make a new key which is split into the next eight 16-bit subkeys.

  13. The encryption involves modular multiplication with a modulus of ((2^16)+1) and addition with a modulus of (2^16). The 64-bit plaintext block is split into four 16-bit segments which we'll call p1, p2, p3 and p4. The subkeys are s1, s2, s3, s4 ... s52. The encryption consists of eight rounds with each round involving the following steps:
      p1 x s1 --> d1
      p2 + s2 --> d2
      p3 + s3 --> d3
      p4 x s4 --> d4
      d1 XOR d3 --> d5
      d2 XOR d4 --> d6
      d5 x s5 --> d7
      d6 + d7 --> d8
      d8 x s6 --> d9
      d7 + d9 --> d10
      d1 XOR d9 --> d11
      d3 XOR d9 --> d12
      d2 XOR d10 --> d13
      d4 XOR d10 --> d14

  14. After this process the output blocks d12, d13 are exchanged so that d11, d13, d12 and d14 are used as input to the next round (in that order) along with the next 6 subkeys, s7 to s12. This procedure is followed for eight rounds in total giving four output blocks which we'll call e1, e2, e3 and e4. Four more steps using the last four subkeys complete the encryption:
      e1 x s49 --> c1
      e2 + s50 --> c2
      e3 + s51 --> c3
      e4 x s52 --> c4
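The subkey generation of slide 12 and the fourteen round steps of slide 13, as an added example that is not part of the original presentation. It assumes the 25-bit left shift is cyclic and that a 16-bit value of 0 stands for 2^16 in the multiplication, as in the IDEA specification; the key and plaintext block are constructed sample values.

```python
MASK16 = 0xFFFF

def mul(a, b):
    """Multiply modulo 2^16 + 1; the 16-bit value 0 stands for 2^16."""
    return ((a or 0x10000) * (b or 0x10000) % 0x10001) & MASK16

def add(a, b):
    """Add modulo 2^16."""
    return (a + b) & MASK16

def subkeys(key):
    """Fifty-two 16-bit subkeys: take eight words, rotate the key left 25 bits, repeat."""
    assert len(key) == 16                # 128-bit key
    k, out = int.from_bytes(key, "big"), []
    while len(out) < 52:
        out += [(k >> (112 - 16 * i)) & MASK16 for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return out[:52]

def idea_round(p, s):
    """One round: p is (p1, p2, p3, p4), s holds this round's six subkeys."""
    p1, p2, p3, p4 = p
    d1, d2, d3, d4 = mul(p1, s[0]), add(p2, s[1]), add(p3, s[2]), mul(p4, s[3])
    d5, d6 = d1 ^ d3, d2 ^ d4
    d7 = mul(d5, s[4])
    d8 = add(d6, d7)
    d9 = mul(d8, s[5])
    d10 = add(d7, d9)
    return d1 ^ d9, d3 ^ d9, d2 ^ d10, d4 ^ d10   # d11, d12, d13, d14

if __name__ == "__main__":
    ks = subkeys(bytes.fromhex("00010002000300040005000600070008"))  # constructed key
    print([f"{k:04x}" for k in ks[8:16]])
    print([f"{d:04x}" for d in idea_round((0, 1, 2, 3), ks[:6])])
```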

  15. Design: Mixing operations from different algebraic groups • XOR • Addition modulo 2^16 • Multiplication modulo 2^16 + 1 • Description of IDEA • The 64-bit block is divided into four 16-bit sub-blocks: p1, p2, p3, p4. The four sub-blocks become the input to the first round of the algorithm. There are 8 rounds in total • In each round the four sub-blocks are XORed, added, and multiplied with one another and with six 16-bit subkeys • Between rounds the second and third sub-blocks are swapped • Speed: Twice as fast as DES. IDEA on a 33 MHz 386 machine encrypts data at 880 KB/sec

  16. Cryptanalysis: Key length is 128 bits. Requires 2^128 (10^38) encryptions to recover the key • A chip designed to test a billion keys/second would take 10^13 years • Traffic Confidentiality • Knowledge about the number and length of messages between nodes may enable an opponent to determine who is talking to whom. • Identities of partners • How frequently the partners are communicating • Message pattern, message length, or quantity of messages that suggest important information is being exchanged • The events that correlate with special conversations between particular partners

  17. Key Distribution • For symmetric encryption to work, the two parties to an exchange must share the same key, and that key must be protected from access by others • The strength of any cryptographic system rests with the key distribution technique • For two parties A and B • A can select a key and physically deliver it to B. • A third party can select the key and physically deliver it to A and B. • If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key. • If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B.

  18. Master key: A long-lasting key that is used between a KDC and a principal for the purpose of encoding the transmission of session keys. Typically, the master keys are distributed by noncryptographic means. Also referred to as a key-encrypting key. Session key: A temporary encryption key used between two principals, such as for a frame relay connection or transport connection, and then discarded. Key distribution center: A system that is authorized to transmit temporary session keys to principals. Each session key is transmitted in encrypted form, using a master key that the key distribution center shares with the target principal.

  19. Random Number Generation • Random numbers play an important role in the use of encryption for various network security applications. • Reciprocal authentication schemes make use of random numbers • Session key generation, whether done by a key distribution center or by one of the principals • Generation of keys for the RSA public-key encryption algorithm • Two criteria are used to validate that a sequence of numbers is random • 1. Uniform distribution: The distribution of numbers in the sequence should be uniform; that is, the frequency of occurrence of each of the numbers should be approximately the same. • 2. Independence: No one value in the sequence can be derived from the others.
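The two criteria checked against a linear congruential generator, as an added example that is not part of the original presentation: over one full period its output is perfectly uniform, yet three consecutive values are enough to derive every later one, so it fails independence. The generator parameters and the seed are constructed for illustration.

```python
from collections import Counter

# Constructed LCG parameters; this choice has full period modulo 2^16.
M, A, C = 1 << 16, 25173, 13849

def lcg(seed, n):
    """Return n successive outputs of x -> (A*x + C) mod M."""
    out, x = [], seed
    for _ in range(n):
        x = (A * x + C) % M
        out.append(x)
    return out

def chi_square_high_byte(values):
    """Criterion 1: chi-square statistic of the top byte against a uniform distribution."""
    counts = Counter(v >> 8 for v in values)
    expected = len(values) / 256
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def recover_and_predict(x0, x1, x2):
    """Criterion 2 fails: derive (a, c) from three outputs and predict the fourth."""
    a = (x2 - x1) * pow((x1 - x0) % M, -1, M) % M   # x1 - x0 is odd, so invertible
    c = (x1 - a * x0) % M
    return a, c, (a * x2 + c) % M

if __name__ == "__main__":
    seq = lcg(12345, M)                              # one full period
    print("chi-square:", chi_square_high_byte(seq))
    a, c, nxt = recover_and_predict(*seq[:3])
    print("recovered:", a, c, "prediction correct:", nxt == seq[3])
```

For session keys and RSA key generation, draw values from the operating system's cryptographic generator (Python's `secrets` module) rather than from a generator of this kind.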
